Hi Mike,

Also, have you tested the strong user/group based access control, EAP client certificate auth, and stateful application layer filtering for VPN remote access client connections?

HTH,
Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

-----Original Message-----
From: Michael Bertelsen [mailto:mbe@xxxxxxxxxxxxx]
Sent: Friday, October 22, 2004 8:50 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] ISA server and secure VPN clients

http://www.ISAserver.org

Hi

Up until the release of ISA Server 2004, the use of Microsoft VPN Clients was thought of as only being semi-secure, since you have no way of blocking the use of split tunneling. From the Client, you were always able to access the local LAN as well as any subnet entered into the routing table, when the VPN tunnel was active.

With VPN Quarantining for RRAS on Windows Server 2003 you were able to test on several things on the client before establishing the tunnel, but as soon as the VPN tunnel was established you could easily change the routing table, and thereby effectively use split tunneling. Also, using RRAS policies you can severely lock down the VPN tunnel itself.

Does anybody know if this problem has been solved with the release of ISA Server 2004? I have a hard time seeing how a secure ISA VPN gateway can rectify the insecure VPN client.

The only thing I see as a possible solution is if i.e. Windows XP SP2 supports an advanced setup, and you set a Quarantine policy to only allow clients running Windows XP SP2.

I look forward to your thoughts on this!
Mike